Bug 2132002 (CVE-2022-2928) - CVE-2022-2928 dhcp: option refcount overflow when leasequery is enabled leading to dhcpd abort
Summary: CVE-2022-2928 dhcp: option refcount overflow when leasequery is enabled leadi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-2928
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2132248 2132249 2132429
Blocks: 2131939
TreeView+ depends on / blocked
 
Reported: 2022-10-04 12:39 UTC by TEJ RATHI
Modified: 2023-05-16 16:53 UTC (History)
16 users (show)

Fixed In Version: dhcp 4.4.3-P1, dhcp 4.1-ESV-R16-P2
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow vulnerability was found in the DHCP server. When the "option_code_hash_lookup()" function is called from "add_option()", it increases the option's "refcount" field. However, there is not a corresponding call to "option_dereference()" to decrement the "refcount" field. The "add_option()" function is only used in server responses to lease query packets. Each lease query response calls this function for several options. Hence, a DHCP server configured with "allow lease query," a remote machine with access to the server, can send lease queries for the same lease multiple times, leading to the "add_option()" function being called repeatedly. This issue could cause the reference counters to overflow and the server to abort or crash.
Clone Of:
Environment:
Last Closed: 2023-05-16 16:53:53 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2502 0 None None None 2023-05-09 07:54:11 UTC
Red Hat Product Errata RHSA-2023:3000 0 None None None 2023-05-16 08:41:09 UTC

Description TEJ RATHI 2022-10-04 12:39:54 UTC 
A vulnerability was found in DHCP, where, a DHCP server configured with "allow leasequery;", a remote machine with access to the server can send lease queries for the same lease multiple times, leading to the "add_option()" function being repeatedly called. This could cause an option's "refcount" field to overflow and the server to abort. Internally, reference counters are integers and thus overflow at 2^31 references, so even at 1000 lease query responses per second, it would take more than three weeks to crash the server.

Versions affected:

- 4.1-ESV-R1 -> 4.1-ESV-R16-P1
- 4.4.0 -> 4.4.3

Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series), it is probable,
all versions after the introduction of lease query in ISC DHCP 3.0 are affected.
Comment 5 Guilherme de Almeida Suckevicz 2022-10-05 16:36:05 UTC 
Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 2132429]
Comment 7 errata-xmlrpc 2023-05-09 07:54:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2502 https://access.redhat.com/errata/RHSA-2023:2502
Comment 8 errata-xmlrpc 2023-05-16 08:41:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3000 https://access.redhat.com/errata/RHSA-2023:3000
Comment 9 Product Security DevOps Team 2023-05-16 16:53:51 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2928
Note You need to log in before you can comment on or make changes to this bug.